Supported features compared to xtables
Revision as of 17:28, 10 October 2019
Last update: Aug/2018
This page tracks the list of supported and unsupported extensions with comments and suggestions.
Unsupported extensions
matches: xt
bpf
- consider native interface
cluster
- consider native interface
rateest
- consider native interface
string
- consider native interface
u32
- raw expressions?
targets: xt
CHECKSUM
- add nft_payload.
- To date, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
- See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
- See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090
CT
- nft_ct_target. Refer to Matching_connection_tracking_stateful_metainformation.
IDLETIMER
- consider native interface
LED
- consider native interface (is this needed?)
NETMAP
- nft_nat.
RATEEST
- consider native interface
TCPOPTSTRIP
- consider native interface, need to extend nft_exthdr.c
targets: ipv4
TTL
targets: ipv6
NPT
- consider native interface
targets: bridge
arpreply
- consider native interface
watchers: bridge
log
- nft_log
nflog
- nft_log
targets: arp
TODO
Supported extensions
matches: xt
addrtype
- nft_fib, starting with 4.10 kernel. Refer to Routing_information.
cgroup
- nft_meta. Refer to Quick_reference-nftables_in_10_minutes#Meta.
[Awaits support for cgroup2]
comment
- Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule.
connbytes
- nft_ct, 4.5 kernel. Refer to Meters.
connlabel
- nft_meta, since 3.16.
connlimit
- consider native interface. Refer to Meters.
connmark
- nft_meta.
conntrack
- nft_ct.
cpu
- nft_meta, since 3.18.
dccp
- nft_payload.
[Unsupported option: dccp-option]
devgroup
- nft_meta, since 3.18.
dscp
- nft_payload.
ecn
- nft_payload.
esp
- nft_payload.
hashlimit
- meter statement. Refer to Meters.
helper
- nft_ct.
ipcomp
- nft_payload.
[Unsupported option: compres]
iprange
- nft_payload, through native range support. To emulate iptables --ports you need two rules.
ipvs
- consider native interface. Refer to Load balancing.
length
- nft_meta.
limit
- nft_limit. Refer to Stateful objects.
mac
- nft_payload.
mark
- nft_meta.
multiport
- nft_payload.
[Unsupported option: ports]
nfacct
- consider native interface. Refer to Stateful objects.
osf
- consider native interface
owner
- nft_meta.
[Unsupported option: socket-exists]
pkttype
- nft_meta
policy
- nft_xfrm, upcoming Linux 4.20 (5.0?)
sctp
- nft_payload.
[Unsupported option: --chunk-types]
socket
- consider native interface
statistic
- nft_numgen. Refer to Load balancing.
recent
- consider native interface. Refer to Sets.
set
- Use native nf_tables set infrastructure.
state
- nft_ct
tcp
- nft_payload
tcpmss
- nft_exthdr, since 4.14
tproxy
- nft_tproxy, since 4.19
udp
- nft_payload
targets: xt
AUDIT
- nft_log, since 4.18.
CLASSIFY
- nft_meta, since 3.14.
CONNMARK
- nft_ct
CONNSECMARK
- nft_ct, since 4.20
DSCP
HL
- nft_payload
HMARK
- nft_meta + nft_hash.
MARK
- nft_meta, since 3.14.
NFLOG
- nft_log, since 3.17.
NFQUEUE
- nft_queue, since 3.14.
SECMARK
- nft_meta, since 4.20
TEE
- nft_dup, since 4.3.
TPROXY
- nft_tproxy, upcoming release (4.19)
TRACE
- nft_meta, since 3.14.
TCPMSS
- nft_exthdr, since 4.14
matches: ipv4
ah
- nft_payload + nft_cmp
icmp
- nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing]
realm
- nft_meta, through NFT_META_RTCLASSID.
rp_filter
- nft_fib, starting with 4.10 kernel
ttl
matches: ipv6
rp_filter
- nft_fib, starting with 4.10 kernel
ah
- nft_payload + nft_cmp.
eui64
- nft_payload + nft_cmp.
frag
- nft_exthdr + nft_cmp.
hbh
- nft_exthdr + nft_cmp.
HBH options are not supported yet. [Unsupported option: --hbh-opts]
hl
- nft_payload.
icmp6
- nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
ipv6header
- nft_exthdr + nft_cmp.
mh
- nft_exthdr + nft_cmp.
[Needs a bug fix for option mh-type with range]
rt
- nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
targets: ipv4
ECN
- nft_payload
DNAT
- nft_nat, since 3.13.
LOG
- nft_log, since 3.17.
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
REDIRECT
- nft_redirect, since 3.19.
REJECT
- nft_reject_ipv4, since 3.13.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
SNAT
- nft_nat, since 3.13.
targets: ipv6
DNAT
- nft_nat, since 3.13.
LOG
- nft_log, since 3.17.
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
REDIRECT
- nft_redirect, since 3.19.
REJECT
- nft_reject_ipv6, since 3.14.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
SNAT
- nft_nat, since 3.13.
matches: bridge
802.3
- nft_payload
among
- sets
arp
- nft_payload
ip
- nft_payload
ip6
- nft_payload
limit
- nft_limit
mark
- nft_mark
pkttype
- nft_meta
stp
- nft_payload
vlan
- nft_payload
targets: bridge
dnat
- nft_payload
snat
- nft_payload
redirect
- nft_payload + nft_meta (pkttype set unicast)
mark
- nft_mark
Deprecated extensions
matches
physdev
- nftables aims to deprecate br_netfilter.
quota
- nfacct already provides quota support.
tos
- deprecated by dscp
targets
CLUSTERIP
- deprecated by cluster match.
TOS
- deprecated by DSCP
targets: ipv4
ULOG
- Removed from tree since 3.17.